authorAlexander Bokovoy <ab@samba.org>2012-05-18 10:05:38 +0300
committerAlexander Bokovoy <ab@samba.org>2012-05-23 17:51:50 +0300
commitec989e7c402e9868d45d7764175f2b44d85bb244 (patch)
tree9de0fa1f24c4767c4a972030070dcb1013c27d18 /auth/credentials/credentials_krb5.c
parent2d9a0d8d0c2587fcfdbab83c0a241830d2fcaafb (diff)
auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
When the credentials API is used by a client-side program that has already fetched the required tickets into a ccache, we need to skip re-initializing the ccache. This is used in FreeIPA when the Samba 4 Python bindings are run after mod_auth_kerb has already obtained user tickets.
Diffstat (limited to 'auth/credentials/credentials_krb5.c')
-rw-r--r--auth/credentials/credentials_krb5.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 2a23688ffd..2c93a8febc 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -486,8 +486,18 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
}
}
- ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
- &ccache, error_string);
+
+ if (cred->ccache_obtained == CRED_UNINITIALISED) {
+ /* Only attempt to re-acquire ccache if it is not already in place.
+ * this is important for client-side use within frameworks with already acquired tickets
+ * like Apache+mod_auth_kerb+Python
+ */
+ ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
+ &ccache, error_string);
+ } else {
+ ccache = cred->ccache;
+ }
+
if (ret) {
if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));